Checking UNIX/LINUX Systems for Signs of Compromise - UCL

More documents

Recommendations

Info

Aims One of the main aims of this document is to address the lack of documentation concerning concrete actions to be taken when dealing with a compromised *nix system. The document will try to be as generic as possible, so you may find tools for specific platforms are better suited. A secondary goal is an explanation of methods of examining this information via tools. Utilizing these tools we can then : • investigate the system • find the points of entry and type of compromise • identify areas for further investigation and issues for attention.
Introduction This guide does not cover the administrative aspect of a compromise, rather it is intended to outline useful tips in finding malware, links to tools for examining the system and define the reasons for undergoing this work. This document will deal with basic levels of intrusion analysis, it is unlikely that the tools and techniques will be able to detect the presence of rootkits or other methods of data hiding. This report is aimed mainly at intrusions on desktop systems, or initial examination of servers, it is not an in depth technical discussion of recovery of mission critical servers. It should also be noted that a number of these tools will change the file system - this will more than likely make the drive inadmissible as evidence. If you think you might want to involve law enforcement, this isn't the guide to read! Compromises can occur in a number of ways, possibly a machine was maybe unpatched against a certain vulnerability, or the user is using weak passwords . However the machine has been compromised, it is important to analyze the system to work out how the intruders got in, as this will give you the means for preventing entry in the future - it is useless to reformat and reinstall a box, only to leave the same way in wide open. Understanding the mode of entry can also help determine if other machines on your site have been compromised, i.e. was entry gained through a service unique to this machine, or common to the whole site or department ? However entry was gained, one of the most important things you can do is update the system, most *nix platforms have some sort of update mechanism which can be used to get the new software. Once the machine has been updated, you should run netstat and ps to make sure that the patches havent overwritten a config file and enabled services you had previously disabled. A second important aid to examining intrusions is logging, tools such as tripwire and Samhain can be used to provide extensive logs. Another problem however is that it is common for intruders to wipe log files when they gain entry to a system so if possible for mission critical machines, you may want to consider central storage for log files. In nearly all cases, the easiest way to recover from a compromise is a fresh re-install of the machine, with any appropriate data being restored from known, good and trusted backups, again at this point it helps if you know when the machine was first compromised. In certain cases it can be argued that a re-install is not feasible, due to political or operational reasons. In cases like this, it is worth considering the fact that if you do not re-secure the machine effectively, the miscreants may damage the machine's operating system, programs and data beyond repair, or simply use the machine to compromise other machines resulting in liability issues.
Page 1: Checking UNIX/LINUX Systems for Sig
Page 5 and 6: Sometimes the obvious tools ... Int
Page 7 and 8: The command rpm -Va will verify all
Page 9 and 10: On Solaris, depending on packages i
Page 11 and 12: Observing Traffic on the Machine On
Page 13 and 14: • adore-ng • suckit • portace
Page 15 and 16: Software tools to help This section

Checking UNIX/LINUX Systems for Signs of Compromise - UCL

Create successful ePaper yourself

Delete template?

Save as template?